
fork of https://github.com/kirelagin/dns.nix

# SPDX-FileCopyrightText: 2020 Aluísio Augusto Silva Gonçalves <https://aasg.name>
#
# SPDX-License-Identifier: MPL-2.0 or MIT

# RFC 4034, section 2 (DNSKEY resource record)

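{ lib }:

let
  inherit (builtins) isInt split;
  inherit (lib) concatStrings flatten mkOption types;

  dnssecOptions = import ./dnssec.nix { inherit lib; };
  inherit (dnssecOptions) mkDNSSECAlgorithmOption;

  # Bits of the 16-bit DNSKEY flags field (RFC 4034, 2.1.1): bit 7 is the
  # Zone Key flag, bit 15 the Secure Entry Point flag. Bits are numbered
  # from the most significant end, so bit 7 has value 256 and bit 15 has
  # value 1. The remaining bits are reserved by the RFC; the raw integer
  # form below is not checked for them beyond the u16 range.
  zoneKeyFlag = 256;
  secureEntryPointFlag = 1;

  # The public key is presented in base64 (RFC 4034, 2.2). Whitespace is
  # permitted in the option value so a key pasted from wrapped tool output
  # need not be reflowed; `stripWhitespace` removes it before the record is
  # serialised. Any character outside the base64 alphabet is rejected at
  # evaluation time rather than ending up in the generated record, where
  # e.g. `;` would start a comment in zone-file syntax.
  base64Pattern = "[A-Za-z0-9+/=[:space:]]+";

  # Remove every whitespace character from [value]. `split` yields the text
  # between separators interleaved with the (empty) capture-group lists of
  # each match; `flatten` drops those lists so `concatStrings` joins only
  # the text fragments.
  stripWhitespace = value: concatStrings (flatten (split "[[:space:]]" value));
in
{
  rtype = "DNSKEY";
  options = {
    flags = mkOption {
      description = "Flags pertaining to this RR.";
      # Either the raw 16-bit field or a set of named flags; `apply` below
      # normalises both forms to the integer written into the record.
      type = types.either types.ints.u16 (types.submodule {
        options = {
          zoneSigningKey = mkOption {
            description = "Whether this RR holds a zone signing key (ZSK).";
            type = types.bool;
            default = false;
          };
          secureEntryPoint = mkOption {
            type = types.bool;
            description = ''
              Whether this RR holds a secure entry point.
              In general, this means the key is a key-signing key (KSK), as opposed to a zone-signing key.
            '';
            default = false;
          };
        };
      });
      # A raw integer passes through unchanged (its range was already
      # checked by `types.ints.u16`); the named form is summed bit by bit.
      apply = value:
        if isInt value
        then value
        else
          (if value.zoneSigningKey then zoneKeyFlag else 0)
          + (if value.secureEntryPoint then secureEntryPointFlag else 0);
    };
    algorithm = mkDNSSECAlgorithmOption {
      description = "Algorithm of the key referenced by this RR.";
    };
    publicKey = mkOption {
      # Validate the alphabet first (type check), then strip whitespace
      # (apply); the type check runs on the value as written by the user.
      type = types.strMatching base64Pattern;
      description = "Base64-encoded public key.";
      apply = stripWhitespace;
    };
  };
  # Presentation format (RFC 4034, 2.2): flags, protocol, algorithm, key.
  # The protocol field is fixed at 3; any other value makes the RR invalid
  # for DNSSEC use (RFC 4034, 2.1.2).
  dataToString = { flags, algorithm, publicKey, ... }:
    "${toString flags} 3 ${toString algorithm} ${publicKey}";
}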